angr 05_angr_symbolic_memory 内存符号化
Posted 漫小牛
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了angr 05_angr_symbolic_memory 内存符号化相关的知识,希望对你有一定的参考价值。
文章目录
05_angr_symbolic_memory是angr的第6个例子,下载位置:https://github.com/jakespringer/angr_ctf
1 解题过程
import angr
import sys
def main(argv):
bin_path = argv[1]
p = angr.Project(bin_path)
start_addr = 0x08048601
init_state = p.factory.blank_state(addr = start_addr)
p1 = init_state.solver.BVS('p1', 64)
p2 = init_state.solver.BVS('p2', 64)
p3 = init_state.solver.BVS('p3', 64)
p4 = init_state.solver.BVS('p4', 64)
p1_addr = 0x0a1ba1c0
p2_addr = 0x0a1ba1c8
p3_addr = 0x0a1ba1d0
p4_addr = 0x0a1ba1d8
init_state.memory.store(p1_addr, p1)
init_state.memory.store(p2_addr, p2)
init_state.memory.store(p3_addr, p3)
init_state.memory.store(p4_addr, p4)
sm = p.factory.simgr(init_state)
def is_good(state):
return b"Good Job" in state.posix.dumps(1)
def is_bad(state):
return b"Try again" in state.posix.dumps(1)
sm.explore(find=is_good, avoid=is_bad)
if sm.found:
found_state = sm.found[0]
pass1 = found_state.solver.eval(p1, cast_to=bytes)
pass2 = found_state.solver.eval(p2, cast_to=bytes)
pass3 = found_state.solver.eval(p3, cast_to=bytes)
pass4 = found_state.solver.eval(p4, cast_to=bytes)
print("Solution: {} {} {} {}".format(pass1.decode("utf-8"), pass2.decode("utf-8"), pass3.decode("utf-8"), pass4.decode("utf-8")))
else:
Exception("Solution not found")
if __name__ == '__main__':
main(sys.argv)
执行如下命令:
python 05.py 05_angr_symbolic_memory
得到solution:
Solution: NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU
将该Solution作为程序的输入,经验证无误:
(angr) dist$ ./05_angr_symbolic_memory
Enter the password: NAXTHGNR JVSFTPWE LMGAUHWC XMDCPALU
Good Job.
以上是关于angr 05_angr_symbolic_memory 内存符号化的主要内容,如果未能解决你的问题,请参考以下文章